
Ethical Hacking News

Critical Vulnerability Discovered in Next.js React Framework, Leaving Web Applications Exposed to Attacks


The Next.js React framework has been hit with a critical vulnerability that can bypass authorization checks, leaving web applications exposed to malicious actors. The discovery serves as a stark reminder of the importance of staying informed and proactive in the rapidly evolving cybersecurity landscape.

  • A critical vulnerability has been discovered in the Next.js React framework (CVE-2025-29927), carrying a CVSS score of 9.1.
  • The flaw stems from an internal header, x-middleware-subrequest, used by Next.js.
  • The vulnerability allows attackers to bypass authorization checks, putting sensitive web pages at risk.
  • Similar flaws have been discovered in various web frameworks and libraries in recent years.
  • Next.js developers have updated versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3 with patches to fix the issue.
  • Additional mitigations are recommended for users who cannot apply the updates immediately.
  • Mitigation measures include preventing external user requests containing the x-middleware-subrequest header from reaching the application.



    The cybersecurity landscape continues to evolve at an alarming rate, and this week's news is a stark reminder of the importance of staying vigilant against emerging threats. A critical vulnerability has been discovered in the popular Next.js React framework, leaving web applications vulnerable to attacks under certain conditions.

    According to recent reports, the vulnerability, tracked as CVE-2025-29927, carries a CVSS score of 9.1 out of 10.0, making it one of the most severe flaws ever reported in the framework. The exploitability of this flaw is attributed to an internal header x-middleware-subrequest used by Next.js to prevent recursive requests from triggering infinite loops.

    "This vulnerability allows attackers to easily bypass authorization checks performed in Next.js middleware," stated JFrog, a company that specializes in cybersecurity solutions. "The ability to bypass these checks means that sensitive web pages reserved for admins or other high-privileged users can be accessed by malicious actors."

    It's worth noting that this vulnerability is not an isolated incident; similar flaws have been discovered in various web frameworks and libraries in recent years. The impact of such vulnerabilities can be devastating, particularly if left unaddressed.

    Fortunately, the developers of Next.js have taken immediate action to address this vulnerability. Versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3 have been updated with patches to fix the issue. However, for those who cannot or prefer not to apply these fixes immediately, it's essential to implement additional security measures.

    One of the recommended mitigations is to prevent external user requests that contain the x-middleware-subrequest header from reaching the Next.js application. Stripping or blocking the header in front of the application ensures that the authorization checks performed in middleware are always enforced and cannot be skipped.
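    The header-blocking mitigation described above, as an added example that is not code from the article or from the Next.js project. The reverse-proxy hook shape, the 400 response, the audit-line format and the sample requests are assumptions:

```javascript
// Added example, not from the article or the Next.js project: an edge-side
// filter (the kind of hook a Node.js reverse proxy would run) that keeps the
// internal x-middleware-subrequest header from reaching Next.js.
// Header names are compared case-insensitively because HTTP allows any casing.
const BLOCKED_HEADER = 'x-middleware-subrequest';

// Names of headers matching the blocked one, in the casing the client used.
// `headers` is a plain object mapping header name to a string or array.
function findForbiddenHeaders(headers) {
  return Object.keys(headers).filter((n) => n.toLowerCase() === BLOCKED_HEADER);
}

// Decide what the edge should do with a request under one of two policies:
//   'reject' -> answer 400 and do not forward (strictest, easiest to audit)
//   'strip'  -> forward the request with the offending header removed
function filterRequest(req, policy = 'reject') {
  const removed = findForbiddenHeaders(req.headers);
  if (removed.length === 0) {
    return { action: 'forward', headers: { ...req.headers }, removed };
  }
  if (policy === 'reject') {
    return { action: 'reject', status: 400, removed };
  }
  const headers = {};
  for (const [name, value] of Object.entries(req.headers)) {
    if (name.toLowerCase() !== BLOCKED_HEADER) headers[name] = value;
  }
  return { action: 'forward', headers, removed };
}

// Audit line for the SIEM: a browser never sends this internal header, so any
// hit from the public side is worth an alert, whichever policy is in force.
function auditLine(req, decision, timestamp) {
  const tag = decision.removed.length ? decision.removed.join(',') : '-';
  return `${timestamp} ${req.method} ${req.url} action=${decision.action} header=${tag}`;
}

// Constructed sample requests (not captured traffic). The header value is a
// placeholder; the filter acts on the header's presence, never on its value.
const normalRequest = {
  method: 'GET', url: '/admin', headers: { host: 'app.example', cookie: 'sid=abc' },
};
const taggedRequest = {
  method: 'GET', url: '/admin',
  headers: { host: 'app.example', 'X-Middleware-Subrequest': 'placeholder' },
};
for (const req of [normalRequest, taggedRequest]) {
  console.log(auditLine(req, filterRequest(req), '2025-03-24T00:00:00Z'));
}
```

    Under the 'strip' policy the request still reaches the application, so the audit line is the only trace of the attempt; under 'reject' the client sees the 400 as well.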

    Rachid Allam, a renowned security researcher credited with discovering and reporting this flaw, has since published detailed information about the vulnerability. As such, it's imperative that users take swift action to address this issue before it's too late.

    The discovery of this critical Next.js vulnerability serves as a poignant reminder of the importance of staying informed and proactive when it comes to cybersecurity. With emerging threats like these on the horizon, it's essential for web developers and security professionals alike to remain vigilant and adapt quickly to protect their applications from potential attacks.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Critical-Vulnerability-Discovered-in-Nextjs-React-Framework-Leaving-Web-Applications-Exposed-to-Attacks-ehn.shtml

  • https://thehackernews.com/2025/03/critical-nextjs-vulnerability-allows.html


  • Published: Mon Mar 24 07:46:46 2025 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.